European identity and access management platform with passwordless authentication
cidaas is a German cloud identity and access management platform offering single sign-on, multi-factor authentication, and passwordless login. Founded in Wimsheim in 2016, it provides a comprehensive CIAM solution with consent management, fraud detection, and full GDPR compliance built into the core architecture.
Headquarters: Wimsheim, Germany
Founded: 2016
EU Data Hosting: Yes
Employees: 51-200
Pricing: 30-day free trial available; from €499/mo; other plans: Contact Sales
Billing: monthly, annual
Managing customer identity at scale has a compliance problem. Every touchpoint where a user authenticates, consents to data processing, or updates their profile is a potential GDPR liability — and for organisations operating in the EU, those liabilities accumulate fast. Auth0 and Okta are the default answers, but both route data through US infrastructure, creating a legal grey zone that European DPOs are increasingly unwilling to sign off.
cidaas exists as the EU-native answer to that problem. Developed by Widas ID GmbH in Wimsheim, Germany, it has operated since 2016 as a Customer Identity and Access Management (CIAM) platform built from the ground up for European regulatory requirements. In 2026, KuppingerCole Analysts named cidaas Overall Leader in their CIAM Leadership Compass — the first time a European-headquartered vendor has taken the top position in that report.
The platform covers the full identity lifecycle: from first-touch registration and social login through multi-factor authentication, consent versioning, and right-to-erasure workflows. It serves mid-market and enterprise clients across DACH industries including financial services, healthcare, and public sector — markets where GDPR compliance is a purchase blocker, not an afterthought.
For developers and architects evaluating identity providers, cidaas occupies a specific position: it is not the cheapest option, nor the one with the largest open-source community. It is the option where EU data residency and regulatory compliance are guaranteed by architecture rather than configured as options.
The shift away from passwords is the clearest trend in enterprise identity, and cidaas has built passwordless as a first-class concern. The platform supports passkeys (WebAuthn), magic links, TOTP, and biometric authentication across web and mobile. For consumer-facing applications, removing the password from the default login flow reduces abandonment at registration and cuts account takeover risk simultaneously.
The implementation handles the complexity that developers usually face when rolling their own — cross-device passkey sync, fallback flows for legacy devices, and accessibility requirements — through a configurable no-code flow builder that works for both B2C and B2B deployments.
This is where cidaas distinguishes itself most clearly from US-headquartered competitors. Consent management in cidaas is not a bolt-on checkbox: it includes consent versioning, granular scope management (marketing, analytics, profiling), and a complete audit trail of when each user gave, modified, or withdrew consent for each purpose.
For organisations running Subject Access Requests or responding to supervisory authority inquiries, this audit trail is operationally valuable. The platform also handles right-to-erasure workflows — including cascading deletion across connected services via webhook — which takes a genuinely complex compliance operation and makes it manageable.
cidaas includes a fraud detection engine that scores authentication attempts based on device fingerprint, location, behaviour patterns, and IP reputation. High-risk attempts trigger additional verification challenges; low-risk sessions move through frictionlessly. This is the same risk-adaptive approach that enterprise banks use internally, packaged as a configurable policy engine.
The KYC module — cidaas ID Validator — extends this to identity verification, integrating document scanning and liveness checks for use cases that require stronger assurance levels than a password can provide.
B2B SaaS products face a specific identity challenge: each enterprise customer wants their own user namespace, login customisation, and potentially their own identity provider (SAML federation from the customer's corporate directory). cidaas handles this through native multi-tenancy — one cidaas deployment can manage separate identity spaces for hundreds of client organisations, each with their own branding, policies, and federation configuration.
cidaas acts as a full OIDC identity provider, making it the authoritative source for tokens consumed by other services in the stack. It supports SAML 2.0 for legacy enterprise applications and OAuth 2.0 for modern APIs, with token management, refresh token rotation, and API security as first-class features.
cidaas does not offer a free tier. The CIAM entry plan starts at €499/month for up to 10,000 Monthly Active Users (MAU), covering SSO, MFA, social login, and consent management. This positions cidaas as a mid-market and enterprise product — the cost model makes sense at scale but is prohibitive for pre-revenue startups or individual developers.
Above the entry plan, Professional CIAM pricing for higher MAU volumes is custom-quoted based on scale, industry, and support requirements. Workforce IAM (employee identity) and Enterprise tiers are also custom-quoted.
A 30-day trial is available. For organisations comparing cidaas against Auth0, the relevant comparison is Auth0's Business plan ($800+/month at comparable MAU) with a US data processing addendum — versus cidaas at €499/month with EU data residency as a default.
The total cost of ownership calculation changes when compliance costs are included. Organisations that have negotiated DPAs with US providers, run privacy impact assessments, and maintained cross-border transfer documentation will recognise that EU-native infrastructure has an economic argument beyond the headline price.
cidaas processes all data in EU data centres, with no transfers to third countries. The legal entity, Widas ID GmbH, is subject to EU jurisdiction. The platform holds ISO 27001 certification and BSI C5 attestation — the German Federal Office for Information Security's cloud security standard that is increasingly required for public sector and financial services deployments in Germany.
For organisations that need to demonstrate GDPR compliance to a supervisory authority, cidaas offers more than most competitors: built-in consent lifecycle management, right-to-erasure automation, and the audit trail needed to evidence compliance decisions. eIDAS compatibility supports cross-border electronic identification within the EU.
The platform's alignment with the EU AI Act is in progress for its fraud detection and identity verification components, which are classified as AI systems under the Act's risk framework.
Enterprises in regulated DACH industries — healthcare, finance, insurance, public sector — where BSI C5 attestation or demonstrable EU data residency is a procurement requirement. cidaas removes the compliance conversation that US providers require.
B2B SaaS vendors with enterprise customers who need to offer tenant isolation, SAML federation from customer corporate directories, and white-label login pages. The multi-tenant architecture handles this natively.
Consumer-facing brands in EU markets running Subject Access Requests or managing complex consent versioning across marketing, analytics, and profiling purposes. The consent audit trail is operationally valuable.
Organisations migrating off Auth0 or Okta specifically to address EU data residency requirements. cidaas offers comparable feature depth with a straightforward migration path for OIDC-based integrations.
cidaas is not trying to be the Auth0 for everyone. It is the enterprise-grade CIAM platform for organisations where EU data residency is a hard requirement, and it executes that position well. The 2026 KuppingerCole Overall Leader recognition validates what European IT departments have known for some time: that the platform competes at the top tier on feature depth, not just on geography.
The limitations are real: no free tier, thinner developer community, and a DACH focus that shows in documentation and support coverage. But for any mid-market or enterprise buyer in the EU whose DPO has concerns about US cloud providers, cidaas makes a compelling case.
Yes. cidaas processes all data in EU data centres under German jurisdiction. It includes built-in consent lifecycle management, data portability exports, and right-to-erasure workflows. ISO 27001 and BSI C5 attestation are both current. No Standard Contractual Clauses or US data transfer documentation are required.
Both platforms offer comparable CIAM feature sets at similar price points for mid-market deployments. The key differences: cidaas provides EU-hosted infrastructure by default, BSI C5 attestation, and built-in consent management as a core feature. Auth0 has a larger developer community, more extensive open-source tooling, and a broader third-party integration catalogue. For EU-regulated organisations, cidaas removes data transfer compliance complexity that Auth0 requires.
Yes. cidaas supports passkeys (WebAuthn), magic links, TOTP, biometric authentication, and SMS OTP as passwordless options. The platform includes a flow builder for configuring passwordless as the default experience with appropriate fallback paths for older devices.
There is no permanent free tier. cidaas offers a 30-day trial. Paid plans start at €499/month for CIAM, covering up to 10,000 MAU with SSO, MFA, social login, and consent management included.
cidaas has its deepest traction in DACH markets across financial services, healthcare, insurance, and public sector. These are industries where BSI C5 attestation, GDPR audit trails, and EU data residency are procurement requirements rather than preferences. The platform also serves retail and e-commerce brands managing high-volume consumer identity.